Thread: /tmp racing

  1. #1

    /tmp racing

    What exactly is this about? I recently (in a hacker contest) made a bash script that exploited a weakness like that, but I still don't understand how it works. Here's the code I used:

    # loop forever, re-creating the symlink as fast as possible
    while true; do
        rm -f /var/tmp2/ps2.tmp
        ln -s /bin/pass /var/tmp2/ps2.tmp
    done
    A guy helped me on how to do it, but he didn't explain what it did. Can anyone help? Here are some indications:
    - /usr/bin/ps2 is setuid level9 and group level8 has execute permissions.
    - /bin/pass gives the password of our effective ID. So, since /usr/bin/ps2 is setuided, we wanted to run /bin/pass at the same time.
    - /usr/bin/ps2 makes a tmp file: /var/tmp2/ps2.tmp

    I don't have the source code of ps2, but can anyone tell me what happens? Why, when I link /bin/pass after the file is removed, does it execute /bin/pass?

  2. #2
    redhead
    Join Date
    Jun 2001
    Copenhagen, Denmark

    Re: /tmp racing

    Since ps2 has SUID bit set, we like it, because a SUID program is like having root on the box..

    At the same time ps2 makes the temp file, we want to exploit the possibility of tricking it to do our job. If we're fast enough and can replace its temp file while it's not looking, we can have it running whatever we replaced the temp file with as SUID, which basically means we can use /bin/pass with SUID rights..

    That's how simple this script is... Same thing was exploited in ed/vi once, when someone found out the "random" name vi/ed would give /etc/shadow and /etc/passwd while you were editing them..
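The defender's side of what redhead describes, as an added example (not code from either poster, and not the real ps2): a tiny C harness that creates a scratch directory, plants a symlink at the predictable name ps2.tmp pointing at a constructed victim file, and then checks whether two different ways of opening "the temp file" write through that symlink. The naive open (O_CREAT|O_TRUNC on a fixed name) is the pattern the thread's ps2 apparently has; the hardened open adds O_EXCL and O_NOFOLLOW so an already-planted path, symlink or not, makes the open fail instead. All paths and file contents here are constructed for the test.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

typedef int (*tmp_opener)(const char *path);

/* Vulnerable pattern: fixed, predictable name; follows a symlink at the final
   component; truncates and writes whatever the path currently resolves to. */
int open_tmp_naively(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Hardened pattern:
   O_EXCL     - fail if anything already exists at the path (a planted symlink included),
   O_NOFOLLOW - never follow a symlink at the final component,
   0600       - the file is private to the owner. */
int open_tmp_safely(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Helper: return the first byte of a file, or -1 if it cannot be read. */
static int read_first_byte(const char *path)
{
    char c = 0;
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    ssize_t n = read(fd, &c, 1);
    close(fd);
    return n == 1 ? (unsigned char)c : -1;
}

/* Plant a symlink at a predictable temp-file name, run the given opener on it,
   and report 1 if the victim file got clobbered, 0 if it survived, -1 on setup error.
   Everything is created in a fresh scratch directory and removed afterwards. */
int planted_symlink_defeats(tmp_opener opener)
{
    char dir[64] = "/tmp/racedemoXXXXXX";          /* constructed scratch location */
    if (mkdtemp(dir) == NULL) {
        strcpy(dir, "./racedemoXXXXXX");            /* fallback if /tmp is not writable */
        if (mkdtemp(dir) == NULL) return -1;
    }

    char victim[128], link[128];
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/ps2.tmp", dir); /* the thread's predictable name */

    /* Constructed victim file with a known first byte 'V'. */
    int vfd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (vfd < 0) return -1;
    ssize_t w = write(vfd, "V", 1);
    close(vfd);
    if (w != 1) return -1;

    /* The race, collapsed: the symlink is already in place when the opener runs. */
    if (symlink(victim, link) != 0) return -1;

    int fd = opener(link);
    if (fd >= 0) {
        w = write(fd, "X", 1);   /* what the privileged program "meant" to write to its temp file */
        (void)w;
        close(fd);
    }
    int clobbered = (read_first_byte(victim) == 'X');

    unlink(link);
    unlink(victim);
    rmdir(dir);
    return clobbered;
}

int main(void)
{
    printf("naive open  -> victim clobbered: %d\n", planted_symlink_defeats(open_tmp_naively));
    printf("hardened open -> victim clobbered: %d\n", planted_symlink_defeats(open_tmp_safely));
    return 0;
}
```

The flags only close half the hole: the name is still guessable, so a program would still be a target for a loop like the one in post #1, it would just fail instead of writing through the link. The usual complete fix is mkstemp(3), which picks an unpredictable name and opens it with O_EXCL in one call, combined with keeping the file descriptor and never re-opening the file by path. Auditing for open()/fopen() on fixed names under /tmp or /var/tmp in setuid code is the corresponding review check.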
